[ISN] NIST releases security controls proposal

From: InfoSec News (isn@private)
Date: Tue Nov 04 2003 - 02:40:00 PST

Next message: InfoSec News: "[ISN] Four ways to secure your company on a shoestring budget"

Previous message: InfoSec News: "[ISN] New rules cut hackers less slack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.fcw.com/fcw/articles/2003/1103/web-nist-11-03-03.asp

By Diane Frank 
Nov. 3, 2003

The National Institute for Standards and Technology today released the 
first draft of a publication describing mandated security controls for 
federal information systems.

NIST officials want agencies to experiment with the initial public
draft, "Special Publication 800-53: Recommended Security Controls for
Federal Information Systems." [1] It outlines electronic and physical
controls for systems categorized under three levels of potential
impacts, such as what would happen if someone steals information from
a federal system and modifies the data or disrupts a government
service.

Low-, medium- and high-impact levels are defined in draft "Federal 
Information Processing Standard (FIPS) 199: Standards for Security 
Categorization of Federal Information and Information Systems." NIST 
officials released the final draft of that standard in September. 

Controls outlined in the Publication 800-53 draft fall into three 
classes -- management, operational and technical — and are then broken 
down further into families. For example, under the management class, 
families include security planning and acquisition of information 
systems and services. Operational class families focus on issues such 
as incident response and contingency planning and operations.

NIST's Computer Security Division plans to use agencies' comments from 
the initial draft and an open workshop in March to develop final 
security controls that would become the new "FIPS 200: Minimum 
Security Controls for Federal Information Systems."

FIPS 199 and 200 are required under the Federal Information Security 
Management Act of 2002. NIST expects to publish FIPS 200 in the fall 
of 2005, when its controls will become mandatory for all federal 
agencies.

Comments are due by Jan. 31, 2004, and may be submitted to 
sec-cert@private

[1] http://csrc.nist.gov/publications/drafts.html



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] Four ways to secure your company on a shoestring budget"
Previous message: InfoSec News: "[ISN] New rules cut hackers less slack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Nov 04 2003 - 04:58:35 PST